dlp scan-rules


Use these commands to prevent sensitive data from leaving your network.

Syntax

config dlp scan-rules
    edit <rule_name>
        config conditions
            edit <condition_id>
                set attribute {attachment | attachment_metadata | body | body_and_attachment | header | recipient | sender | sender_or_recipient | subject}
                set file-pattern {archive | audio | encrypted | executable_windows | image | msoffice | openoffice | script | video}
                set group-type {local | ldap}
                set ldap-profile <profile_name>
                set operator {contain | contain_file_pattern | contain_sensitive_data | empty | equal | external | internal | match | not_contain | not_equal | not_present | password_protected | present}
                set sensitive-data {...}
                set value <string>
            next
        end
        config exceptions
            edit <exception_id>
                set attribute {attachment | attachment_metadata | body | body_and_attachment | header | recipient | sender | sender_or_recipient | subject}
                set file-pattern {archive | audio | encrypted | executable_windows | image | msoffice | openoffice | script | video}
                set group-type {local | ldap}
                set ldap-profile <profile_name>
                set operator {contain | contain_file_pattern | contain_sensitive_data | empty | equal | external | internal | match | not_contain | not_equal | not_present | password_protected | present}
                set sensitive-data {...}
                set value <string>
            next
        end
        set description <string>
        set condition-relation {and | or}
    next
end

Variables (the default value is listed where the setting has one)

<rule_name>
    Enter a descriptive name for the rule.

description <string>
    Enter a description for the DLP scan rule.

condition-relation {and | or}
    Define how the conditions are combined: with and, every condition must match for the rule to apply; with or, any single matching condition is enough.
    Default: and

conditions
    Configure the matching or non-matching conditions that the message is scanned against.

exceptions
    Configure email matching exceptions; a message that matches an exception is not scanned by this rule.

attribute {attachment | attachment_metadata | body | body_and_attachment | header | recipient | sender | sender_or_recipient | subject}
    Select the part of the message (the condition or exception criterion) to be matched.
    Default: subject

file-pattern {archive | audio | encrypted | executable_windows | image | msoffice | openoffice | script | video}
    Select a file pattern to restrict fingerprinting to only those files that match the pattern.

group-type {local | ldap}
    Set whether the group is local or LDAP.
    Default: local

ldap-profile <profile_name>
    Select the LDAP profile to use when group-type is ldap.

operator {contain | contain_file_pattern | contain_sensitive_data | empty | equal | external | internal | match | not_contain | not_equal | not_present | password_protected | present}
    Select the scan operator (for example, contain or not_contain). The operators available depend on the selected attribute.
    Default: contain

sensitive-data {...}
    Select a predefined sensitive-information term (used with the contain_sensitive_data operator).

value <string>
    Enter the attribute value to compare against, as a string.
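The following is an added worked example, not taken from the Fortinet documentation: a rule that flags outbound mail whose body or attachments carry a predefined sensitive-data term, with an exception for one designated mailbox. The rule name, description, the mailbox address and the placeholder sensitive-data term are assumptions.

```text
config dlp scan-rules
    edit "outbound-sensitive-data"
        set description "Flag mail to external recipients that carries sensitive data"
        # "and": both conditions below must match for the rule to apply
        set condition-relation and
        config conditions
            # Condition 1: at least one recipient is outside the local domains
            edit 1
                set attribute recipient
                set operator external
            next
            # Condition 2: body or any attachment contains the sensitive-data term
            edit 2
                set attribute body_and_attachment
                set operator contain_sensitive_data
                set sensitive-data <predefined-sensitive-term>   # placeholder: pick a term from your unit's predefined list
            next
        end
        config exceptions
            # Messages from this (assumed) approved mailbox are not scanned by the rule
            edit 1
                set attribute sender
                set operator equal
                set value "approved-exports@example.com"
            next
        end
    next
end
```

The rule only identifies the mail; the action taken on a match is defined separately in the DLP profile that references this rule.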
